diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 0e47595..4ea1a63 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -394,6 +394,9 @@ class ContextTests(unittest.TestCase):
         ctx.load_verify_locations(CERTFILE, CAPATH)
         ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
 
+        # Issue #10989: crash if the second argument type is invalid
+        self.assertRaises(TypeError, ctx.load_verify_locations, None, True)
+
     @skip_if_broken_ubuntu_ssl
     def test_session_stats(self):
         for proto in PROTOCOLS:
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 1e4b38a..141b1ae 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1683,7 +1683,7 @@ load_verify_locations(PySSLContext *self, PyObject *args, PyObject *kwds)
         return NULL;
     }
     if (capath && !PyUnicode_FSConverter(capath, &capath_bytes)) {
-        Py_DECREF(cafile_bytes);
+        Py_XDECREF(cafile_bytes);
         PyErr_SetString(PyExc_TypeError,
                         "capath should be a valid filesystem path");
         return NULL;